Azure Log Discovery and Collection in USM Anywhere

When you use Azure Diagnostic logs to monitor your deployed assets, including Windows hosts, IIS, and the Azure SQL Database service, USM Anywhere automatically discovers and enables collection of these logs through Azure APIs. A USM Anywhere Sensor deployed in your Azure environment is preconfigured to automatically discover Azure Storage Tables and BLOBs containing these types of diagnostic logs. You can enable or disable the default log collection jobs from the Azure sensor Setup Wizard (see AZURE LOG COLLECTION) or within the USM Anywhere Scheduler (see Enable Defined Jobs).

To supplement the default log collection jobs and to add log collection for Azure Web Apps, you can also create custom log collection jobs that operate through the Azure sensor app.

Note: What an Azure log job collects depends on whether you granted contributor permissions to one of your resources or to your entire Azure subscription for the USM Anywhere application. Depending on the Azure Credentials configured for the deployed Azure sensor, the sensor could have access to individual resource groups or the whole subscription. For more details, see Creating an Application and Obtaining Azure Credentials.

Azure Monitor (formerly Azure Insights) provides base-level infrastructure metrics and logs for most services in Microsoft Azure. It helps you to track user activities within an Azure subscription, including when users log on, deploy, or shut down VMs, and more. Through the Azure Monitor REST API, USM Anywhere captures those logs and creates events.

You do not need to perform a specific configuration of Azure Monitor in the Azure console for USM Anywhere to collect these logs. USM Anywhere automatically detects these logs and creates a job for Azure Monitor logs. When you complete the Log Collection step for your Azure sensor setup, you can enable this default job, which runs every 20 minutes.

You can also enable or disable this default job in the Job Scheduler. When you select the job on this page, you can review the history for the scheduled job.
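The paragraphs above describe Azure Monitor activity records being pulled over the REST API on a 20-minute schedule and turned into events. The following Python is an added example, not USM Anywhere code, showing the shape of that step: constructed activity-log records (in the public Activity Log schema of `operationName.value`, `caller`, `eventTimestamp`, `resourceId` and `status.value`) are normalised into flat events, and one polling run selects only the records that fall inside its window. The subscription ID, resource names and user names are placeholders, and the five-minute overlap is an assumption of this example, added because a record can be published some minutes after its `eventTimestamp` and a window that ends exactly where the previous one began would miss it.

```python
"""Normalise Azure Monitor Activity Log records into events for one polling run.

Added example; not USM Anywhere code. Records follow the public Activity Log
event schema, but the values below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone

# Placeholder subscription / resource group used by the constructed records.
RESOURCE_PREFIX = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-web"
    "/providers/Microsoft.Compute/virtualMachines/"
)

# Constructed sample: simplified records as the Azure Monitor REST API returns
# them. The Activity Log emits one record per phase (Started, Succeeded, ...).
SAMPLE_RECORDS = [
    {
        "operationName": {"value": "Microsoft.Compute/virtualMachines/write"},
        "caller": "alice@example.com",
        "eventTimestamp": "2024-05-01T10:05:00.000Z",
        "resourceId": RESOURCE_PREFIX + "web01",
        "status": {"value": "Succeeded"},
    },
    {
        "operationName": {"value": "Microsoft.Compute/virtualMachines/deallocate/action"},
        "caller": "bob@example.com",
        "eventTimestamp": "2024-05-01T10:12:30.000Z",
        "resourceId": RESOURCE_PREFIX + "web01",
        "status": {"value": "Succeeded"},
    },
    {
        "operationName": {"value": "Microsoft.Compute/virtualMachines/delete"},
        "caller": "bob@example.com",
        "eventTimestamp": "2024-05-01T09:40:00.000Z",
        "resourceId": RESOURCE_PREFIX + "web02",
        "status": {"value": "Started"},
    },
]

# Operations the page calls out (deploying and shutting down VMs) mapped to
# event names; anything else becomes a generic azure_activity event.
OPERATION_EVENTS = {
    "Microsoft.Compute/virtualMachines/write": "vm_deployed",
    "Microsoft.Compute/virtualMachines/deallocate/action": "vm_shut_down",
    "Microsoft.Compute/virtualMachines/powerOff/action": "vm_shut_down",
    "Microsoft.Compute/virtualMachines/delete": "vm_deleted",
}


def parse_timestamp(value):
    """Activity Log timestamps are ISO-8601 UTC with fractional seconds and 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def to_event(record):
    """Flatten one Activity Log record into the fields a SIEM event needs."""
    op = record["operationName"]["value"]
    return {
        "event": OPERATION_EVENTS.get(op, "azure_activity"),
        "operation": op,
        "actor": record.get("caller"),
        "resource": record["resourceId"].rsplit("/", 1)[-1],
        "time": parse_timestamp(record["eventTimestamp"]),
        "phase": record["status"]["value"],
    }


def collect_window(records, now, period=timedelta(minutes=20),
                   overlap=timedelta(minutes=5)):
    """Select the events for one polling run ending at `now`.

    Keeps records with eventTimestamp in [now - period - overlap, now], sorted
    by time. The overlap is an assumption of this example; callers must
    de-duplicate across runs (for example on the record's correlation id)
    when they use it.
    """
    start = now - period - overlap
    events = (to_event(r) for r in records)
    return sorted((e for e in events if start <= e["time"] <= now),
                  key=lambda e: e["time"])


if __name__ == "__main__":
    run_at = datetime(2024, 5, 1, 10, 20, tzinfo=timezone.utc)
    for ev in collect_window(SAMPLE_RECORDS, run_at):
        print(ev["time"].isoformat(), ev["event"], ev["actor"], ev["resource"], ev["phase"])
```

Running the block with the constructed records and a run time of 10:20 UTC yields the `vm_deployed` and `vm_shut_down` events; the 09:40 delete falls outside the window and is left for the run that covered it.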

Azure Security Center is an Azure service that continuously monitors your Azure environment and applies analytics to automatically detect a wide range of potentially malicious activity. It surfaces these detections as security alerts. Security Center performs this function by collecting data from your virtual machines, which is enabled for all virtual machines in your subscription by default. You can also customize this data collection in the Security Center policy.

You do not need to perform a specific configuration of the Azure Security Alerts in the Azure console to be able to collect these logs. USM Anywhere automatically detects these logs and creates a job for Azure Security Alerts logs. When you complete the Log Collection step for your Azure sensor setup, you can enable this default job, which runs every 20 minutes.

You can also enable or disable this default job in the Job Scheduler. When you select the job on this page, you can review the history for the scheduled job.

For individual VMs running IIS with Azure diagnostics enabled, you can designate storage for the IIS logs. USM Anywhere automatically detects these logs through the Azure APIs and Azure SDKs. For each Azure Storage Container location with Azure IIS logs that it detects, USM Anywhere creates a default log collection job. When you complete the Log Collection step for your Azure sensor setup, you can enable these default jobs, which run every five minutes.

Note: This type of IIS implementation is different from Azure Web Apps, which is a platform service and uses a different logging configuration. For information about collecting logs for web apps, see Azure Web Apps Logs.

You can also enable or disable this default job in the Job Scheduler. When you select the job on this page, you can review the history for the scheduled job. You could choose to disable this default job based on the IIS log locations that USM Anywhere discovers and create a custom Azure IIS log collection job for a location that you specify.

When you configure the new job, set the App Action option to Process Azure IIS Logs. You must also specify the Resource Group, Storage Account, and Blob Container for the custom log collection job. For more information about scheduling an Azure log collection job, see Creating a New Azure Log Collection Job.
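The IIS logs that Azure diagnostics writes to the blob container are W3C extended log files, which is the format a collector has to parse once the job above has fetched them. The Python below is an added example, not USM Anywhere code: it parses a constructed W3C log (the directive and field names are the standard IIS ones, the requests, hosts and addresses are made up), honouring the `#Fields:` directive rather than assuming a fixed column order, and then summarises the records the way an analyst would before looking at them: status-code counts, server errors, and authentication failures per client address.

```python
"""Parse and summarise IIS W3C extended log files.

Added example; not USM Anywhere code. The log text is constructed for this
example; the directive and field names are the standard IIS W3C ones.
"""
from collections import Counter

# Constructed sample log. IIS writes '-' for absent values and '+' for spaces
# inside a value, so every request line splits cleanly on whitespace.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-05-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2024-05-01 10:00:01 10.0.0.4 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0+(Windows) 200 0 0 15
2024-05-01 10:00:02 10.0.0.4 GET /admin/login.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows) 401 2 5 8
2024-05-01 10:00:03 10.0.0.4 POST /api/orders id=42 443 svc_user 198.51.100.7 curl/8.0 500 0 0 231
2024-05-01 10:00:04 10.0.0.4 GET /index.html - 443 - 203.0.113.10 Mozilla/5.0+(Windows) 200 0 0 12
"""

# Fields that should be integers for later arithmetic and comparisons.
INTEGER_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive.

    A file may contain more than one #Fields directive (IIS writes a fresh
    header block when the log rolls over or the selected fields change), so
    the current field list is replaced whenever a new directive appears.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        if fields is None:
            raise ValueError("request line appears before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
        record = {}
        for name, value in zip(fields, values):
            if value == "-":
                record[name] = None
            elif name in INTEGER_FIELDS:
                record[name] = int(value)
            else:
                record[name] = value.replace("+", " ")
        yield record


def summarize(records):
    """Aggregate parsed requests into the counts an analyst looks at first."""
    records = list(records)
    return {
        "requests": len(records),
        "by_status": dict(Counter(r["sc-status"] for r in records)),
        "server_errors": [r for r in records if r["sc-status"] >= 500],
        "auth_failures_by_ip": dict(
            Counter(r["c-ip"] for r in records if r["sc-status"] in (401, 403))
        ),
    }


if __name__ == "__main__":
    summary = summarize(parse_w3c(SAMPLE_IIS_LOG))
    print(summary["requests"], "requests;", summary["by_status"])
    for r in summary["server_errors"]:
        print("5xx:", r["cs-method"], r["cs-uri-stem"], "from", r["c-ip"], r["time-taken"], "ms")
    print("auth failures:", summary["auth_failures_by_ip"])
```

The parser raises on a request line that does not match the current `#Fields` list rather than silently mis-assigning columns; a truncated upload of a log blob (the collection job can run while IIS is still appending) shows up as such an error on the last line and is better rejected than ingested with shifted fields.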

For individual VMs running SQL Server with Azure diagnostics enabled, you can designate storage for the SQL Server logs. You must configure this to use Azure Table Storage. To simplify the tracking of related security issues, USM Anywhere treats the SQL service as an asset, and maps events and other security issues directly to the SQL service. When it detects Azure Storage Table locations with Azure SQL Server logs, USM Anywhere creates a default log collection job for each. When you complete the Log Collection step for your Azure sensor setup, you can enable these default jobs, which run every five minutes.

Microsoft Azure has recently deprecated table storage and recommends that users select the BLOB storage option. However, you must use the Azure Tables storage option for your SQL Server logs to make them available for collection by the USM Anywhere Sensor.

If you want to supplement this automatic Azure log collection in USM Anywhere, you can create an additional Azure SQL Server log collection job.

When you configure the new job, set the App Action option to Process Azure SQL Server Logs. You must also specify the Resource Group, Storage Account, and Table Container for the custom log collection job. For more information about creating a new Azure log collection job, see Creating a New Azure Log Collection Job.

Azure App Service Web Apps is a fully managed compute platform that is optimized for hosting websites and web applications. A web app represents the compute resources that Azure provides for hosting a website or web application, and these compute resources may be on shared or dedicated virtual machines (VMs). For each deployed web app in your Azure environment, you can enable diagnostic logging to capture and store the web server and application information.

Unlike the other supported Azure logs, the USM Anywhere Sensor does not perform an automatic discovery job for Web Apps to look for the storage location. If you want USM Anywhere to collect the log data for your Web Apps, you must create a new log job and specify the storage location parameters.

When you configure the new job, set the App Action option to Process Azure Web Apps Logs. You must also specify the Resource Group, Storage Account, and Blob Container for the custom log collection job. For more information about creating a new Azure log collection job, see Creating a New Azure Log Collection Job.

For individual VMs running Windows with Azure diagnostics enabled, Azure stores the Windows event logs by default. USM Anywhere automatically detects these logs through Azure APIs and Azure SDKs. When it detects Azure Storage Container locations with Azure Windows logs, USM Anywhere creates a default log collection job for each. When you complete the Log Collection step for your Azure sensor setup, you can enable these default jobs, which run every five minutes.

If you want to supplement this automatic Azure log collection in USM Anywhere, you can create an additional Azure Windows log collection job.

When you configure the new job, set the App Action option to Process Azure Windows Logs. You must also specify the Resource Group, Storage Account, and Blob Container for the custom log collection job. For more information about creating a new Azure log collection job, see Creating a New Azure Log Collection Job.